Tag Archives: law

A version of this article originally appeared on the EFF’s Deep Links blog

Earlier this month, an inmate in Texas was denied access to computers and an electronic messaging system because he ordered a copy of the information security handbook Hacking Exposed. Does simply ordering a copy of an information security handbook render an individual a threat to the safe, secure, and orderly operation of a federal prison? Almost certainly not.

Hacking Exposed was written by three well-respected information security professionals, two of whom work at McAfee, and is intended to educate infosec professionals about the threat landscape. But the warden of the prison, and subsequently a federal district court, found that just by ordering the book, Reginald Green constituted a substantial enough threat to the orderly running of the prison to ban him from accessing the TRULINCS electronic messaging system or using computers for the rest of his incarceration. Could the exploit information contained within Hacking Exposed be misused in the right environment? Sure, but so could lots of other things, like the hammers in the prison workshop or the weights in the prison gym.

This is an unfortunate, aggressive reaction to the social concept of “the hacker,” without pausing to consider the facts of the case. If the book had been called “Offensive Information Security” instead of “Hacking Exposed,” would it have been confiscated, or Mr. Green deemed a threat? We’ve seen many examples of security researchers and others calling themselves hackers and falling under undue and aggressive legal scrutiny because their motives and actions were misconstrued. This is in part because the term “hacker” can, in general parlance, mean anything from a DIY enthusiast building portable chargers in Altoids tins to a hardcore cybercriminal selling stolen credit card numbers on a deep web message board. Individuals either calling themselves hackers or dubbed so by the media have been repeatedly targeted for publishing information on how to jailbreak your own devices. For example, Sony sued members of the hacker group fail0verflow after they revealed at CCC that they’d mathematically calculated the keys Sony uses to ensure only approved code runs on the PS3. In the same suit, Sony also sued George Hotz, better known as GeoHot, jailbreaker of the iPhone, for publishing the PS3 root key, even though he made clear he didn’t do so to enable people to run pirated games. People have also been targeted for offering jailbreaking services commercially. For instance, prosecutors brought criminal charges against Matthew Crippen for modding XBOX 360s to run DRM-free games, which were ultimately dismissed.

Whether you call them hackers, makers, tinkerers, or information security researchers, people on the hacking spectrum have been a boon to society for decades. They power innovation in all sectors and operate as a valuable check on the security and stability of the technology that forms the basis for our modern society. Their curiosity drives our economy and challenges entrenched corporate and governmental interests. However, the word “hacker” has changed since its origins in creative prank culture and innovative computing at MIT, and is now popularly used, more often than not, as a pejorative one that encourages fear-based knee-jerk reactions. Hackers are used as go-to villains by policy makers, who wave the nightmare scenario of rampant cybercrime and imminent cyberwar to justify legislative proposals that threaten to encroach on your digital civil liberties.

Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word “Hacking” and overreacted. The security paranoia displayed in banning Mr. Green from the TRULINCS electronic messaging system and access to computers entirely also doesn’t bode well for their information security practices. Theoretically, if the Bureau of Prisons is truly concerned about users within the prison system compromising TRULINCS, it ought to have measures in place to prevent users from, say, uploading or downloading attachments, installing and running programs, accessing the Internet, or gaining admin access to the workstation or local network. If the system does potentially allow these actions, and is relying on the lack of knowledge in its user group to protect itself (aka security by obscurity), then that is a much bigger problem than one guy ordering one book. A Bureau of Prisons memo (http://www.bop.gov/policy/progstat/5265_013.pdf) states that an inmate can be banned from the system if they have “special skills or knowledge” of computers or the internet. Unless those skills or knowledge were used in the commission of a crime, the BOP wouldn’t necessarily be aware that an individual possessed those skills. So rather than strengthening the TRULINCS system against unknown, potentially strong actors (people who enter the system with “special skills and knowledge” or outside attackers), the BOP here appears to be opting to take punitive action against a known weak actor (if he had the requisite skills and knowledge to compromise the network, one would assume he wouldn’t have needed the book).

What is being attacked here is the ability of individuals to pursue technical knowledge. Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word “hacking” and overreacted.

A few weeks ago, my Networked Social Movements class went on a field trip to observe the protests against the then-proposed, now-passed cuts to the MBTA, the public transit system here in Boston. While there, I saw and heard lots of people, in chants, slogans, and speeches, making statements along the lines of, “Public transit is a right.”

I don’t agree that public transit is a right. I believe that public transit is awesome, I enjoy it and I wish there was more of it, both in Boston and nationwide. It would be more accurate to say that I believe that public transit is a public/social good (in fact, in discussing these questions with some of my labmates, we came up with an alternate chant, “Public transit is a public good/From downtown to the hood,” which we’re rather proud of). But my opinions of how public transit fits into the social construct are not what I want to talk about right now.

The question I primarily came away with that day is how the rhetoric of “rights” affects civil discourse. When we call something a “right,” how does that affect how we discuss that particular thing? How does calling things that may not necessarily be rights affect how we talk about other things we consider rights, or future debates about rights? Does it act as a diluting force? How do we deal with rights, or potential rights, that are fundamentally matters of technological empowerment, rather than innate (dare I say, inalienable) capacities and aspects of the human condition?

A similar debate arose last summer, when the UN released a report which classified internet access as a human right. This led to a great deal of debate in the online community, particularly on the issue of, if internet access *itself* was a human right (as opposed to, say, the ability to freely communicate and assemble), how does that obligate governments to facilitate global access to the internet. That report was primarily written in response to laws recently passed in France and the United Kingdom, which removed internet access for people repeatedly accused of violating copyright by downloading movies and such. This brings up the question, did the UN report consider internet access a human right only in situations where the access was already available? How does that construction (technologically-enabled rights only become rights when the technology becomes independently available in the marketplace) affect the conception of a human right?

Both public transit systems and the internet are technological systems which can be said to enable and facilitate rights which are widely recognized as human rights: the right to freedom of speech and the right to freedom of movement (here I’m referring to the Universal Declaration of Human Rights for “widely recognized rights”). When do technological systems which facilitate rights become rights themselves? Are public transit systems and the internet fundamentally different than the justice system or modern medical technology, both of which are mentioned in the Universal Declaration of Human Rights (Articles 11 and 25), different enough that their status as “rights” should be different?

I am at the “whole lot of questions” stage of thinking about this issue. If you have thoughts on the nature of human rights as relates to technological systems, please share them in the comments!